Description
An exact value or random number can be precisely predicted by observing previous values.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
CWE-340
Consequences
Other: Varies by Context
Potential Mitigations
Phase:
Description:
Increase the entropy used to seed a PRNG.
Phase: Architecture and Design, Requirements
Description:
Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (“Approved Random Number Generators”).
Phase: Implementation
Description:
Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.
CVE References
- CVE-2002-1463
- Firewall generates easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections.
- CVE-1999-0074
- Listening TCP ports are sequentially allocated, allowing spoofing attacks.
- CVE-2000-0335
- DNS resolver uses predictable IDs, allowing a local user to spoof DNS query results.
